The leader of a malicious hacker collective who used his job as a security guard to breach sensitive Texas hospital computers has been arrested just days before his group planned a "massive DDoS" attack for the July 4 Independence Day holiday. Jesse William McGraw, 25, of Arlington, Texas, was taken into custody late Friday …
How stupid can people be?
I mean to leave evidence that lets anyone and their mother know who you are, and to do something like this is just absolutely retarded. Seeing as he is in Texas and what could have happened had someone been in the operating room and died chances are he will get death :P
Hope they shove this up his backside.
"It really shows how dangerous even a low-skilled attacker can be."
No - it shows how dangerous an unsecurable operating system can be.
A new kind of "summerfag"
"It's all about respect and fame and the respect of their equally weird peers."
It's all about retardedness and being the most mentally challenged unemployable jerk in the cracker ghetto.
10 years in the slammer should help
This type of malicious hacking deserves ten years or more to "educate" the perp.
First of all, this dude is lame, who would brag about pwning a freaking hospital HVAC unit. It's like walking into a school with a gun, yeah wow look at you, you're cool.
Hospitals for the most part are haphazardly protected from attacks of all levels. I took a tour of one of our local hospitals and it was scary that they had no camera units, and only a few contracted foot guards with no weapons.
Hospitals seem to be as virgin territory as our schools are just waiting for nuts to come in and have a field day.
I wonder how cool this guy will be in jail, maybe he'll run into the maytag man and they can talk appliances.
This guy is no hacker, he's sub-script kiddy even.
The title really should be, "Idiot uses skills possessed by most twelve year olds to DDoS attack a grossly insecure IT system in use by a hospital"
What a complete
Hopefully soon to be a cell companion of Bubba!
Maybe a strange idea, but should we have a law which requires organizations like hospitals, railway systems, airports, .... to pass an annual security audit?
The Really Scary Part
Is the fact some 3rd party was able to track the "hacker" down. Yes, I know he posted a lot of stupid incriminating evidence but the sleuth that found him used Craigslist as one of the tools in finding him.
That's scary and potentially a great way to join the Craigslist Murderer/Rapist club if you troll enough boards that post IP's then compare them with Craigslist ads or the reverse...
If ETA really is planning a "massive DDoS" how does arresting this guy avert it?
a bunch of the boys were whooping it up...
McGrew vs. McGraw. Where's Robert W. Service when we need him?
Seriously, though. Congrats to McGrew. Tell MSU to give him a raise, or at least tenure.
@ AC 22:59
If someone has physical access to a PC, then they can root it - no matter what operating system is installed. You can slow someone down by locking the case, glueing covers on the USB ports and changing the BIOS manufacturer's backdoor password. Using Linux (or a BSD) provides some protection from remote attacks - depending on what demons you leave running and how you configure them. You still need to lock people out of the server room.
SCADA systems insecurity
If you've ever watched an "engineer" install a SCADA system, you'd know that these things are easy targets - they do a default install of an OS without hardening it or patching it, slap the SCADA software on top, say "job's a good 'un" and run away. It doesn't matter what platform the SCADA runs on - these guys could even turn VMS into an instant cracker magnet.
I actually had to stop one SCADA engineer from "upgrading" a SCO Openserver box to Win95 because he mistook the Motif UI for Windows 3.1 !
Some of these things were never designed to be connected to a network, but some bright spark sees an ethernet port on the back of the box and instantly gets funny ideas. Insecure protocols and little or no authentication make these things a security nightmare.
Ask the manufacturers about turning off telnet/FTP/RSH or applying patches, and some of them will tell you that modifying the system in any way voids your warranty.
If he did maliciously adjust a hospital's HVAC system, then he doesn't deserve to live. Fucking with weak and helpless people does not generate respect. Quite the opposite, actually. For $deity's sake, even in times of war, you don't attack the medic or the hospital.
As for idiot AC @ 22:59 -- "No - it shows how dangerous an unsecurable operating system can be." -- who the hell said anything about an operating system? This guy had physical access to the systems. It wouldn't matter if they were running Windows, OSX, Linux, BSD, or OS/2; with physical access to the system, and especially with access to a logged-in terminal, no operating system could have stopped him. The weak links in this scenario were: 1) lack of application security; 2) lack of user education (as evidenced by the user leaving the terminal while logged in); and 3) lack of screen saver with password protection. Additional possible weak links were users leaving their passwords written down nearby, lack of physical security, and lack of identity verification.
what a week for stupidity eh ?
First it's murderous phreakers, now it's this witless wonder. Texas in July and hospital full of potentially frail patients when the aircon is scheduled to go breasts uppermosts......Throw the whole bookcase at him, then summon the hospital IT management and slap them around a bit until they realise that such functions should be secure. God knows what else this narcissistic microbrain could have gotten himself into.
"...I took a tour of one of our local hospitals and it was scary that they had no camera units, and only a few contracted foot guards with no weapons."
Jesus Christ man, come over to England and visit our hospitals.
Very few Cameras, one or two unarmed dudes who you *never* see.
In the UK we go to hospital to get better, and strangely we all seem to have that kind of respect built in.
I can't remember the last time we had a "nut-job" go round a hospital injuring the already injured.
Only in America would they
A) Not have the respect
B) Have the stupidity to hurt people in the only place where they can get patched up quickly
You don't hear about the Swiss going mental and gunning people down do you, and they have more guns than people, just about.
Where would you stop James?
Cops with guns in schools, in birthing centres (where new mums recuperate)? Zoos? Parks? Work? Primary schools/kindergarten?
Glad to be in Europe, I am.
Hospital or torture theatre?
"air-conditioning systems that cool operating rooms and other critical areas of the Texas hospital, where temperatures regularly hit the triple digits"
Kelvin and I can understand it, Centigrade and I'm amazed.
...and am I right in thinking temperatures regularly hit the triple digits *despite* the air conditioning?
The worst part about him? He used AOL!
He is obviously the devil incarnate and should be executed forthwith. (that's what happens to criminals in Texas, right?)
The idiotic post of the day goes to...
@ AC 1st July 2009 22:59 GMT
"No - it shows how dangerous an unsecurable operating system can be."
No OS is secure if you have physical access to it even if the machine runs a linux distro or is a Mac...
Sounds like a sad bunch of losers with too much talent, too much time and no brains, desperate for their 15 mins in the spotlight!
It's all about respect
So, how much respect is due for having a "6 months AOL broadband" icon on your desktop worth?
The thread he posted. He states that the infection came from a torrent.
He is an Anon too.
See his GSM jammer on his vampire freaks page? They're easy to buy....
@ AC 22:59
Yeah blame the OS you Luser
"As so i found out, one of the users was torrenting and came accross my bot. So i got the rdp and logmein information, so there was no brainstorm but all payload."
read again ...
Somebody was torrenting on that machine, prolly a sys admin, which I'm guessing isn't allowed in a hospital.
So fuck all to do with the OS.
tbh the admin should have shut down the torrenting ports
@Hospital or torture theatre?
Just a minor point but
"showed off Wireshark and other hacking tools"
Wireshark is a network analyser, since when did it become a hacking tool? Yes, it *could* be used for hacking but by the same yardstick a pc is a hacking tool, so is a modem (remember them?) or a router, notepad.exe......
As for the webcam over the door - since they were in fact watching him, perhaps he was not actually paranoid, even a bit low scoring in the common sense department.
Mine's the one with a web cam trained on each pocket so I can look back later and see where I put my keys....
@AC (not Air Conditioning) 08:22
Here in the US, Daniel Fahrenheit rules. As do pounds, feet, inches and miles.
where is my abusive post ??
Not Kelvin, not Celsius
"air-conditioning systems that cool operating rooms and other critical areas of the Texas hospital, where temperatures regularly hit the triple digits"
I assume that this is triple digits Fahrenheit.
RE: Hospital or torture theatre?
I think they mean in degrees above the temperature of icewater with salt in it, where triple digits is over the body heat of some German bloke. For some reason our colonial cousins seem to love strange units of measurement.
AC @ 8.22
I would say Fahrenheit :)
deserves one of those ridiculously long sentences they dish out in fantasy land USA.
Try A+E on a Friday/Saturday night in a big city in the UK. Epic fail for your 'respect for medics' theory.
Oh and that would be Fahrenheit that hits triple digits, some people dislike SI units.
Wow what an evil minded narcissistic
Just as well he also had a strong need for attention. This guy easily scores high at psychology bingo, for example, without even trying much we have such highlights as:
* Shows everyone he has power over people with screen shots to prove it
* Threatens to cause harm to others to also show he has power over people
* Seeks a job as a security guard, so he can act as if he has some power
* Seeks to bully the place he works and gains access to allow him to bully them
* Shows a very strong need for attention
Wow talk about having issues. He's really putting some effort into this. So basically he is an attention seeking bully. A Narcissistic combined with Histrionic. Given that kind of profile it strongly suggests he suffered childhood parental neglect and some kind of abuse and so is now taking his anger out on others. It's also interesting his target is a hospital, a place usually associated with giving care to people. So he is also able to hit out at carers, which also goes back to his anger at parents who should have been carers to him. So he's behaving like a milder less harmful version of so called, Angels of Death, health care workers who kill (full on serial killers who go into health care jobs to seek victims). In his case he is just showing he has the power to abuse others, although given his behavior, if he wasn't stopped he could easily have ended up killing.
@Trevor 3: “I can't remember the last time we had a "nut-job" go round a hospital injuring the already injured.”
In that case you must have been living in a cave. For example, from the British Medical Association: http://www.bma.org.uk/sc/employmentandcontracts/morale_motivation/violenceagainsthealthcareworkers.jsp
e.g. “Nearly half (43.1%) of junior doctors reported both physical and verbal abuse at work”.
And Trevor3, when you've finished reading that, then you can learn some more reading these cases:
This case is a good example of why narcissistics are such a problem and even at times a danger to everyone. (Yet ironically narcissistics seek and easily get into positions of power over people).
I don't know. Where are your manners?
It could happen here
I'm in IT in a big hospital - hence anonymous. While we impose sane IT security, the users don't -- we regularly find passwords stuck to screens and you can't just BOFH the department. Laying down the law is a management issue and they're too soft: it hasn't gone wrong yet, after all. Our staff turnover ("churn") is so great that there are always plenty of new faces around, so a new cleaner wouldn't attract attention so long as he had a staff ID and a bottle of Hospec.
Passwords stuck to screens is platform-independent. ;)
Screen Capture states BACtalk - Runs on Windows OS with unsecured webserver
Having been in the controls industry for over 20 years I can tell what happened from just looking at the screen capture on the 2nd page of the article.
The HVAC control system in question communicates via BACnet, an open protocol building management system. In this case, it appears that the "hacker" gained access to a poorly secured webserver component of the building management system.
It was probably wide open to the world because many "canned" specifications require that these systems be "accessible from any network users computer" especially the hospital's HVAC technicians who are probably looking at the system from their home PC (you know, the one their wife and kids use???!!!!)
All that would have happened is for one user to fall prey to a password sniffer and this "hacker" got root access.
This is one primary reason why we dislike BACnet, LONworks or other "Webserver" based HVAC control systems. The software cannot be easily modified by the control contractor, is inherently insecure since it is based on a "webserver" running on a Windows OS and in order to comply with many state and federal specifications, the system must be available to every network Luser in the building.
Outside network access must be strong password protected and the control system must require IP authentication of the remote access user as well. Use of proprietary communication protocols and secured ftp programs also helps to limit the potential for outside attacks such as this one.
This is a case of a Hospital administrator getting exactly what he didn't pay for. Lowest bid does not mean least costly.
The system was crap, probably installed by plumbers who had no idea what they were doing, who undercut legitimate HVAC control system vendors who know better and can provide a competent, secure system.
Oh, come on now... on that desktop there are shortcuts for WMP, "Dell Support", and "6 months of AOL". Obviously a complete noob.
I was also being impatient :D
Impatient *and* abusive. But er, honest at least, I suppose.
What abusive post is this? And why am I even asking you? You have no idea how many abusive posts I boot off here in a day. More at the moment, in fact, because I would like the world to be a kinder happier place.
Of course, this could never happen in the UK...
...Our hospitals don't have air conditioning...
Joke icon, but not actually too far from the truth
Again pure fail because he wanted to brag about it.
Just another skill-less idiot seeking attention
Most others have nailed the guy's character right-on, but I'd like to say that even if this idiot had no access to a computer, he's likely the kind of guy that would drop a roofie in your drink, key your car, or piss in your coffee, just "'cause it's fun". Another emotionally stunted scumbag that could probably benefit from psychotherapy.
If we had someone enter a hospital and went around kicking the living poo out of staff and other patients alike it would be on the news, and then I'd start thinking that maybe we need some betruncheoned security guards in them.
I can understand (not condone) that we do have some physical abuse in hospitals, I don't think that there is one job in the world where you come into contact with the public at large and don't get a bit of abuse to be honest. You don't need an _armed_ guard in Currys or Tesco though do you? And footfall is bigger through there than a hospital, so you are bound to get more loonies in.
I live in Southampton, and have been in A&E a few times, even on a Friday (and a Saturday once) and mainly at night (my nipper being asthmatic, want some stats on night time attacks vs daytime?). I must have been seriously bloody lucky, because all the patients I saw were too pissed to do anything apart from puke. Which was funny. Well I enjoyed myself anyway.
I was surprised more than anything at James' shock at a hospital having no armed guards.
Thanks for the stats. But I still don't believe hospitals need armed guards.
As for doctors/health professionals killing people....that's been happening since there have been "doctors". Unfortunate, but also true.
Pint because....well, it's nearly Friday
re: It could happen here
"we regularly find passwords stuck to screens and you can't just BOFH the department"
I know it's easy to be critical, no matter how good an IT team you have, budget can screw and stop quite a lot of projects... I really think that public or semi-public places which have computers everywhere like hospitals, airports should NOT use password access. It should be a hardware token with pin - something like this (http://www.cryptocard.com/products/cryptocardauthenticationtokens/sc-3usb-styletoken/)
He obviously just has a personality disorder and needs some help.
@AC - It could happen here
I used to work in IT in the NHS back in late 80's early 90's. We spotted that open terminals were a weak point (used thin clients) with passwords so what we did was give staff a barcode on the back of their badges that they needed to scan in addition to userid/password. Terminals already had barcode wands to scan barcodes from patient notes.
This was all done in house, in DOS. There really isn't an excuse with more modern equipment and facilities like smart cards we didn't have back then.
You forgot the most important security consideration:
0) Decent background check on the people you hire for your facility, especially the ones who are nominally in charge of physical security. Too many minimum wagers as rent-a-cops here in the states. It's a serious job that requires serious attention. Security shouldn't be Walmart door greeters. If you want a minimum wage door greeter, fine--hire one and give him the appropriate title. Don't hire a rent-a-cop for it. Security should be professional, and focused on securing the facility. Security begins with access, and physical access trumps all other forms of access.
Otherwise you're spot on.
You can't secure everything, actually you can't secure most things, at least not in a way that is effective, allows work to be done and doesn't cost so much that it drives you out of business.
There are plenty of physical systems that are very vulnerable. You could walk into a hospital and idk ... start putting paperclips into power outlets and trip all their circuit breakers, snatch important paperwork sitting on desks and toss them into the trash, go to the bathrooms and dump all the rolls of TP into the toilet. Pull fire alarms.
Real world security relies on the assumption that people are reasonably nice and don't want to cause problems, and it usually takes a strong profit motive for them to betray your trust.
So no you don't attempt to secure every computer system from abuse by people with physical access any more than you put padlocks on every power outlet.
^Security, part 2
Security guards do not need access to IT equipment other than camera screens displaying the inside of a secured IT center.
This screw up was like an IT guy having keys to the facility's weapons closet.
On a related tangent, I think it is documented psychology that power hungry people will often vie for positions that give them more power. Police work, security guard, etc. This is why it isn't uncommon for cops to screw with teenagers as retribution for some ill towards them in high school. It probably also fuels "hackers" intents to cause problems for other people as a way to even the score psychologically.
So I was in a hospital in San Francisco today (couple hours after the good article came out) ... I was in a room with a nurse who put some info into a DELL PC, then he left for 10 minutes.
1. I could do quite a lot. I did not touch it of course, but could (there was no password screen after he left), the computer was right next to me
2. the PC was sitting there, I could (again I did not) quickly plug a keystroke catcher between keyboard and PC to get all key strokes (of course I do not own one, but I saw it I think on engadget a while back)
(1) is a big issue
(2) is an issue, but very hard to protect thanks to kinda lack of industrial design (most PCs for home and business are the same - easy to open and easy to re-plug)